
arxiv: 2606.00962 · v1 · pith:PM2JSHWFnew · submitted 2026-05-31 · 💻 cs.CR · cs.AI

SS-ZKR: Spatial-Semantic Zero-Knowledge Routing for Privacy-Preserving Multi-Agent Collaboration

Pith reviewed 2026-06-28 17:20 UTC · model grok-4.3

classification 💻 cs.CR cs.AI
keywords privacy-preserving routing, zero-knowledge proofs, differential privacy, multi-agent systems, agent interoperability, spatial policy compilation, blind semantic routing

The pith

SS-ZKR enables semantic routing of agent payloads across trust boundaries without decrypting content at the router.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents SS-ZKR as a complementary protocol layer for A2A and MCP standards that performs content-based routing while keeping payloads encrypted. Current interoperability methods require intermediaries to decrypt messages for semantic decisions, which conflicts with rules like GDPR, HIPAA, and MiFID II. The protocol uses three mechanisms built on zero-knowledge proofs and differential privacy to achieve blind routing. If the approach holds, regulated sectors could run heterogeneous AI agents across organizations without exposing proprietary data to routing infrastructure. The work includes a threat model, leakage analysis, pseudocode, and complexity comparisons to TEE and homomorphic baselines.

Core claim

SS-ZKR is a three-mechanism privacy-preserving routing protocol that performs blind routing via differentially private semantic intent vectors bound to zero-knowledge proofs of payload-schema consistency, applies vector-weighted adaptive sanitisation with (epsilon, delta)-differential privacy, and compiles visually defined trust-zone topologies into zero-knowledge access circuits.

What carries the argument

The SS-ZKR three-mechanism stack: Mechanism I binds differentially private intent vectors to zero-knowledge proofs for blind routing; Mechanism II performs adaptive sanitisation; Mechanism III translates spatial trust zones into cryptographic circuits.

If this is right

  • Routing intermediaries never need to decrypt agent payloads to make semantic decisions.
  • Enterprises in finance, healthcare, and defence can orchestrate AI agents across regulatory boundaries.
  • The protocol supplies formal (epsilon, delta)-differential privacy for numerical fields and heuristic protection for text.
  • Analytical complexity is lower than TEE-based or fully homomorphic encryption routing alternatives.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The protocol could be layered directly on existing W3C DID and VC identity systems for authenticated agent networks.
  • Spatial policy definitions might extend to dynamic trust zones that change during agent collaboration sessions.
  • Implementation of the provided pseudocode would allow direct measurement of real-world leakage versus the paper's analytical bounds.

Load-bearing premise

The three mechanisms deliver the stated formal privacy guarantees and run efficiently on top of A2A/MCP without new leakage or unacceptable overhead.

What would settle it

A concrete demonstration that payload information can be reconstructed from the published intent vectors beyond the claimed leakage bounds, or measured runtime overhead exceeding the analytical TEE and homomorphic comparisons.

Original abstract

Foundational agent interoperability standards, notably the Agent-to-Agent (A2A) protocol and the Model Context Protocol (MCP), have advanced multi-agent system communication, and complementary identity frameworks leveraging W3C Decentralised Identifiers (DIDs) and Verifiable Credentials (VCs) provide cryptographic agent authentication. However, no existing protocol supports content-based semantic routing of agent payloads across organisational trust boundaries without requiring the routing intermediary to decrypt the payload, which is a hard constraint in compliance-sensitive environments governed by GDPR, HIPAA, and MiFID II. We propose SS-ZKR, a three-mechanism privacy-preserving routing protocol designed as a complementary layer atop A2A/MCP. Mechanism I introduces blind routing via differentially private semantic intent vectors cryptographically bound to zero-knowledge proofs of payload-schema consistency. Mechanism II offers vector-weighted adaptive payload sanitisation with formal (epsilon, delta)-differential privacy for numerical fields and heuristic semantic aggregation for textual fields. Mechanism III presents a spatial-to-cryptographic policy compiler that translates visually defined trust-zone topologies into deterministic zero-knowledge access circuits. We provide a formal threat model, analyse information leakage bounds of intent vectors, present pseudocode for all three mechanisms, and give analytical complexity comparisons against TEE-based and homomorphic encryption-based routing baselines. SS-ZKR lets enterprises in financial services, healthcare, and defence orchestrate heterogeneous AI agents across regulatory boundaries without exposing proprietary data to routing infrastructure.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 0 minor

Summary. The paper proposes SS-ZKR, a complementary protocol atop A2A/MCP consisting of three mechanisms: (I) blind routing via differentially private semantic intent vectors bound to zero-knowledge proofs of schema consistency, (II) vector-weighted adaptive payload sanitisation providing (ε,δ)-DP for numerical fields and heuristic aggregation for text, and (III) a spatial-to-cryptographic policy compiler converting trust-zone topologies into ZK access circuits. It asserts a formal threat model, information-leakage-bound analysis for intent vectors, pseudocode for the mechanisms, and analytical complexity comparisons versus TEE- and HE-based baselines, enabling enterprises to orchestrate agents across regulatory boundaries without exposing proprietary data to routing infrastructure.

Significance. If the three mechanisms were shown to deliver the stated formal privacy properties with no new leakage channels and acceptable overhead, the result would be significant for compliance-sensitive multi-agent deployments in finance, healthcare, and defence. The work correctly identifies a gap in existing interoperability standards regarding content-based semantic routing without decryption.

major comments (3)
  1. [Abstract] Abstract: the manuscript states that it 'provide[s] a formal threat model, analyse[s] information leakage bounds of intent vectors, present[s] pseudocode for all three mechanisms, and give[s] analytical complexity comparisons', yet none of these elements (threat model, bounds, equations, proofs, pseudocode, or comparisons) appear in the manuscript.
  2. [Abstract] Abstract: the central claim that Mechanism I (DP vectors + ZK proofs), Mechanism II (sanitisation), and Mechanism III (policy compiler) together achieve formal (ε,δ)-DP and zero-knowledge routing 'without exposing proprietary data to routing infrastructure' is asserted without any derivation, proof, error bound, or leakage analysis to support it.
  3. [Abstract] Abstract: the weakest assumption that the mechanisms can be implemented efficiently atop A2A/MCP 'without unacceptable overhead or new leakage' is stated but unsupported by any quantitative results, complexity expressions, or implementation details.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the detailed and constructive report. We acknowledge the discrepancies between the claims in the abstract and the content of the submitted manuscript. We will revise the paper to address these issues by incorporating the missing formal elements.

Point-by-point responses
  1. Referee: [Abstract] Abstract: the manuscript states that it 'provide[s] a formal threat model, analyse[s] information leakage bounds of intent vectors, present[s] pseudocode for all three mechanisms, and give[s] analytical complexity comparisons', yet none of these elements (threat model, bounds, equations, proofs, pseudocode, or comparisons) appear in the manuscript.

    Authors: We accept this observation. The submitted manuscript does not include the stated elements due to an omission during preparation. In the revised version we will add a formal threat model (new Section 3), information-leakage bounds with supporting equations (Section 4), pseudocode for all three mechanisms (Appendix A), and analytical complexity comparisons against the TEE and HE baselines (Section 5).

    revision: yes

  2. Referee: [Abstract] Abstract: the central claim that Mechanism I (DP vectors + ZK proofs), Mechanism II (sanitisation), and Mechanism III (policy compiler) together achieve formal (ε,δ)-DP and zero-knowledge routing 'without exposing proprietary data to routing infrastructure' is asserted without any derivation, proof, error bound, or leakage analysis to support it.

    Authors: We agree that the privacy claims require explicit derivation and proof. The revision will include a formal proof of the combined (ε,δ)-DP guarantee, a leakage analysis for the intent vectors under the stated threat model, and explicit error bounds for the sanitisation and ZK components.

    revision: yes

  3. Referee: [Abstract] Abstract: the weakest assumption that the mechanisms can be implemented efficiently atop A2A/MCP 'without unacceptable overhead or new leakage' is stated but unsupported by any quantitative results, complexity expressions, or implementation details.

    Authors: We accept that the efficiency claim lacks quantitative backing in the current draft. The revised manuscript will supply concrete complexity expressions (communication and computation), asymptotic overhead comparisons, and a discussion of potential new leakage channels with mitigation arguments.

    revision: yes

Circularity Check

0 steps flagged

No derivation chain or equations present to evaluate for circularity

Full rationale

The provided manuscript text consists solely of the abstract and high-level mechanism descriptions with no equations, proofs, fitted parameters, self-citations of load-bearing results, or explicit derivation steps. The paper asserts the existence of a formal threat model, leakage-bound analysis, and complexity comparisons but supplies none of these in the visible content. Without any claimed first-principles results or predictions that could reduce to inputs by construction, no circular steps exist. The work is therefore self-contained against the circularity criteria by absence of any mathematical chain to inspect.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

No free parameters, axioms, or invented entities can be extracted because only the abstract is available.

